It seems that several (most?) of the large privacy breaches have something in common: something smaller happened earlier that people didn’t pay enough attention to.
“Marriott’s Starwood Missed Chance to Detect Huge Data Breach Years Earlier, Cybersecurity Specialists Say,” The Wall Street Journal, December 2, 2018 (online). There was a prior breach in 2015 that, some say, could have been investigated more thoroughly and might have surfaced the larger intrusion years sooner.
Might this happen in your business? Say there’s a relatively minor breach affecting a single client’s information, or a minor compliance issue. You discover it and take action. But does the breach itself indicate weaknesses in your system of controls that may have broader implications? Do you change your training or other controls to reflect this experience, or the experience of others in your industry?
This brings to mind a common finding in accident investigations: something small happened that could, or should, have put you on notice, but it was ignored or downplayed.
How does your organization deal with near-hits in the compliance or information governance space? Is this part of oversight? Or a part of effective knowledge management?
Filed under Analytics, Collect, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, IT, Knowledge Management, Management, Oversight, Privacy, Protect assets, Security, Third parties, Use
In the macro sense, one of the bits of information that we own, manage, and hopefully control is who we are. How does the government control and manage this?
“Banks Find Solutions for ID Fraud at DMV,” The Wall Street Journal, November 13, 2018 B10. Banks may use DMV databases to verify your online identity, because establishing your identity to get a driver’s license normally requires appearing in person and providing supporting documents.
Key to the process at the DMV is the trained person who checks your supporting documents. The banks want to leverage that person’s knowledge and experience, rather than relying on a bank manager to do it.
Where else in our lives do we rely on government employees rather than ourselves as a critical control?
Filed under Access, Accuracy, Controls, Data quality, Definition, Duty of Care, Governance, Information, Internal controls, Knowledge Management, Operations, Oversight, Privacy, Protect assets, Third parties, Use
I’m a bit of a knowledge management wonk, having been involved in the then-nascent KM movement within the in-house legal community in the early 2000s. But there can be too much sharing.
“Sinclair Settles With U.S. on Ad-Sales Data,” The Wall Street Journal, November 8, 2018 B2. A media group settles a lawsuit over alleged sharing of information among television station owners that may have led to higher advertising rates.
An interesting side note is that this all came to light when Sinclair proposed to buy another company and had to undergo a government investigation.
Are there restrictions on how much information can be shared between and among competitors? Yes. They are called “antitrust laws.” And is there a risk that making a deal subjects you to government scrutiny? Yes. The government may discover all manner of minor and major sins.
Filed under Access, Communications, Compliance, Compliance (General), Controls, Corporation, Discovery, Duty, Governance, Information, Internal controls, Knowledge Management, Oversight
“Secret Formula, Intelligence Tests Fuel Buyout Firm,” The Wall Street Journal, July 10, 2018 A1. Private equity fund has a list of 110 best practices, against which software companies are measured for investment.
How does the fund keep those practices secret after a page-one story in the WSJ? Is it enough to maintain them “on a company server that makes a record every time anyone downloads or prints them”? Logging access is a detective control; it tells you who took a copy, not whether the copy went any further.
But reusing ideas that have worked in the past makes sense.
The value of information is in its use, or perhaps in the ability to prevent others from using it.
“H&M Ramps Up Data Use,” The Wall Street Journal, May 8, 2018 B4. Store chain mines social media to identify and track trends, and analyzes store-specific information to determine what to stock in that store.
So, they use a common technology approach to data analysis chain-wide to derive a store-specific stocking strategy. They find that computers don’t get distracted by emotions as much as humans do.
Filed under Access, Analytics, Collect, Information, IT, Knowledge Management, Management, Operations, Use, Value
How do you forecast what information the company will need twenty years from now, long after your retirement?
“First Job of Dismantling Nuclear Plants: Find a Russian Speaker,” The Wall Street Journal, June 12, 2017 A1. Decommissioning engineers encounter problems when trying to decontaminate and tear down an old nuclear facility. The engineering drawings are not necessarily accurate as-built diagrams, and a lot of the documentation is in Russian.
An organization needs a lot of information. One area is “What information will we need when it’s time to dismantle this great thing we just built?” Is this information governance, records management, or knowledge management? Does it matter? Who owns this problem? This same problem came up in my prior life when looking at the information requirements to shut down and dismantle a North Sea oil platform: a lot of that information needs to be captured at the front end and during the life of the facility, and maintained until the facility is removed.
How did a frequent flier make the best use of his story of being bumped from his flight and not getting the legally required compensation? He shared that information with others on-line.
“When United Bumped This Flier, He Fought Back,” The Wall Street Journal, November 10, 2016 D1. The bumped flier shared his story online through FlyerTalk, and others pitched in with suggestions on how to work his claim through the process. Original settlement offer: $373. Final settlement: about $2,000.
The value of information depends on how you use it. Knowing what you don’t know is a step towards finding others who do know. What’s the all-in cost of this dispute to United? Did United comply with the Denied Boarding Compensation rules?
Exchanging information is a big part of knowledge management, and is generally viewed as good. Not so when the exchange is between competitors.
“U.S. Sues DirecTV, Alleging Collusion,” The Wall Street Journal, November 3, 2016 B1. DOJ sued, alleging unlawful information sharing between DirecTV and various other cable TV operators over whether they were going to pay to carry LA Dodgers baseball games.
All dealings between horizontally aligned competitors are suspect. Agreeing on prices is illegal per se, and exchanging price information invites the same scrutiny. But sharing “information” about whether you are going to do something can also be objectionable.
A former real estate agent who used to come into the restaurant where I worked before law school stood up at a trade association meeting and said something like “I don’t know what the rest of you are going to do, but I am holding firm at a 6% commission.” He then walked out. He was convicted of price fixing.
Is this an antitrust or compliance issue or an information governance issue? Does it matter?
There have been lots of stories in the news about various car makers playing fast and loose with their estimated mileage statistics.
“GM Stops Sale of Crossover Wagons to Correct Mileage Labels,” The Wall Street Journal, May 14, 2016 B3. An “inadvertent error” led to overstating the mileage estimates.
How come the inadvertent errors never go the “other” way?
If one of your competitors has a problem, do you have it too?
Filed under Accuracy, Business Case, Communications, Compliance, Governance, Information, Knowledge Management, Management, Oversight, Risk
While the model is not perfect, is world governance significantly different from corporate governance?
“U.S. Seeks Stronger Intelligence Ties With Belgium,” The Wall Street Journal, May 9, 2016 A7. The US wants Belgium to share its intelligence on the migration of foreign fighters.
Is this the same problem corporations have internally, when one division or office doesn’t share information with others within the corporate family? Is this a matter of culture?